解决Windows Server中Loopback问题
本文详细介绍了Windows Server 2003 SP1引入的Loopback安全检查机制及其引发的401.1错误问题,并提供了两种工作-around方案。
解决办法:
跟服务器有关,需要再每台服务器进行以下配置
New-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name "DisableLoopbackCheck" -value "1" -PropertyType dword
下面是有关 loopback问题的由来以及应对措施:
Windows Server 2003 SP1 introduced a loopback security check. This feature is obviously also present in Windows Server 2008. The feature prevents access to a web application using a fully qualified domain name (FQDN) if an attempt to access it takes place from a machine that hosts that application. The end result is a 401.1 Access Denied from the web server and a logon failure in the event log.
Unfortunately 401.1 is not really helpful as this error code means there is a problem with the user credentials. Of course, the HTTP spec doesn’t know about security features in a vendor’s implementation so there can’t be a HTTP error code for such a feature. This can lead to much banging of the head on the desk. It’s one of numerous causes of the 401.1 which are nothing to do with invalid credentials (e.g. attempting to use Kernel Mode Authentication with domain account in IIS7).
This problem occurs because of the way that NT LAN Manager (NTLM) treats different naming conventions as remote entities instead of as local entities. A local authentication failure might occur when the client calculates and caches the correct response to the NTLM challenge that is sent by the server in local "lsass" memory before the response is sent back to the server. When the server code for NTLM finds the received response in the local "lsass" cache, the code does not honor the authentication request and treats it as a replay attack. This behavior leads to a local authentication failure.
This issue was introduced from a security fix:
http://support2.microsoft.com/kb/957097/en
To work around this issue, we have two ways to do that:
扫一扫
1206
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
